IBM 10 SP1 EAL4 Manuale Utente
mac = MAC (key, sequence_number || unencrypted_packet)
where unencrypted_packet is the entire packet without MAC (the length fields, payload and padding),
and sequence_number is an implicit packet sequence number represented as uint32. The sequence
number is initialized to zero for the first packet, and is incremented after every packet, regardless of
whether encryption or MAC is in use. It is never reset, even if keys or algorithms are renegotiated
later. It wraps around to zero after every 2^32 packets. The packet sequence number itself is not
included in the packet sent over the wire.
The MAC algorithms for each direction must run independently, and implementations must allow
choosing the algorithm independently for both directions. The MAC bytes resulting from the MAC
algorithm must be transmitted without encryption as the last part of the packet. The number of MAC
bytes depends on the algorithm chosen. The default MAC algorithm defined is the hmac-sha1 (with
digest length = key length = 20).
where unencrypted_packet is the entire packet without MAC (the length fields, payload and padding),
and sequence_number is an implicit packet sequence number represented as uint32. The sequence
number is initialized to zero for the first packet, and is incremented after every packet, regardless of
whether encryption or MAC is in use. It is never reset, even if keys or algorithms are renegotiated
later. It wraps around to zero after every 2^32 packets. The packet sequence number itself is not
included in the packet sent over the wire.
The MAC algorithms for each direction must run independently, and implementations must allow
choosing the algorithm independently for both directions. The MAC bytes resulting from the MAC
algorithm must be transmitted without encryption as the last part of the packet. The number of MAC
bytes depends on the algorithm chosen. The default MAC algorithm defined is the hmac-sha1 (with
digest length = key length = 20).
•
Certificate format: The default certificate format used is ssh-dss signed with Simple DSS. Signing
and verifying using this key format is done according to the Digital Signature Standard [FIPS-186]
using the SHA-1 hash. A description can also be found in [SCHNEIR].
and verifying using this key format is done according to the Digital Signature Standard [FIPS-186]
using the SHA-1 hash. A description can also be found in [SCHNEIR].
•
Key exchange protocol: The default key exchange protocol is diffie-hellman-group1-sha1. The
diffie-hellman-group1- sha1 method specifies Diffie-Hellman key exchange with SHA-1 as HASH.
diffie-hellman-group1- sha1 method specifies Diffie-Hellman key exchange with SHA-1 as HASH.
Sections 5.12.2.1 and 5.12.2.2 briefly describe the implementation of SSH client and SSH server. For detailed
information about the SSH Transport Layer Protocol, SSH Authentication Protocol, SSH Connection
Protocol, and SSH Protocol Architecture, refer to the corresponding protocol documents at
information about the SSH Transport Layer Protocol, SSH Authentication Protocol, SSH Connection
Protocol, and SSH Protocol Architecture, refer to the corresponding protocol documents at
5.12.2.1 SSH client
The ssh client first parses arguments and reads the configuration (readconf.c), then calls
ssh_connect() (in sshconnect*.c) to open a connection to the server, and performs authentication
ssh_connect() (in sshconnect*.c) to open a connection to the server, and performs authentication
(ssh_login() in sshconnect.c). Terminal echo is turned off while users type their passwords. SSH
prevents the password from being displayed on the terminal as it is being typed. The SSH client then makes
requests such as allocating a pseudo-tty, forwarding X11 connections, forwarding TCP-IP connections and so
on, and might call code in ttymodes.c to encode current tty modes. Finally, the SSH client calls
client_loop() in clientloop.c.
The client is typically installed suid root. The client temporarily gives up this right while reading the
configuration data. The root privileges are used to make the connection from a privileged socket, which is
required for host-based authentication and to read the host key for host-based authentication using protocol
version 1. Any extra privileges are dropped before calling ssh_login(). Because .rhosts support is
requests such as allocating a pseudo-tty, forwarding X11 connections, forwarding TCP-IP connections and so
on, and might call code in ttymodes.c to encode current tty modes. Finally, the SSH client calls
client_loop() in clientloop.c.
The client is typically installed suid root. The client temporarily gives up this right while reading the
configuration data. The root privileges are used to make the connection from a privileged socket, which is
required for host-based authentication and to read the host key for host-based authentication using protocol
version 1. Any extra privileges are dropped before calling ssh_login(). Because .rhosts support is
not included in the TSF, SSH the client is not suid root on the system.
5.12.2.2 SSH server daemon
The sshd daemon starts by processing arguments and reading the /etc/ssh/sshd_config
configuration file. The configuration file contains keyword-argument pairs, one per line. Refer to the
sshd_config man page for available configuration options. It then reads the host key, starts listening for
sshd_config man page for available configuration options. It then reads the host key, starts listening for
connections, and generates the server key. An alarm regenerates the server key every hour.
When the server receives a connection, it forks a process, disables the regeneration alarm, and starts
communicating with the client. The server and client first perform identification string exchange, and then
negotiate encryption and perform authentication. If authentication is successful, the forked process sets the
effective user ID to that of the authenticated user, performs preparatory operations, and enters the normal
session mode by calling server_loop() in serverloop.c.
When the server receives a connection, it forks a process, disables the regeneration alarm, and starts
communicating with the client. The server and client first perform identification string exchange, and then
negotiate encryption and perform authentication. If authentication is successful, the forked process sets the
effective user ID to that of the authenticated user, performs preparatory operations, and enters the normal
session mode by calling server_loop() in serverloop.c.
191